SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #8
January 29, 2013
TOP OF THE NEWS
US Cyber Command Seeks to Quintuple Cybersecurity Force
Israel Strengthening its Cyber Stance
#javaproblems: Security Problems in Oracle's Java Persist, Despite January Patch
THE REST OF THE WEEK'S NEWS
FBI Investigating Leak of US Stuxnet Involvement
Google Facing Legal Action in UK Over Safari Cookies
Anonymous Hacks US Sentencing Commission Website
WordPress Update Addresses Trio of Security Issues
Court Denies WikiLeaks Investigation Suspects' Right to Know What Companies Were Contacted for Information
Yahoo Requires Probable Cause Warrants for Government Requests for eMail Content
Twitter Releases Transparency Report
Google Will Impose More Restrictions on Data Requests and Encourage Legislators to Update ECPA
TOP OF THE NEWS
US Cyber Command Seeks to Quintuple Cybersecurity Force (January 27, 2013)
The head of the US Defense Department's Cyber Command is seeking to increase its cybersecurity force by a factor of five over the next few years. The change is aimed at improving the country's ability to defend critical networks from attacks and take offensive cyberoperations measures against adversaries. Currently, Cyber Command comprises about 900 people; the plan is to expand that number to 4,900. There would be three types of forces: national mission forces would protect systems that support and operate elements of the country's critical infrastructure; combat mission forces would help plan and launch offensive cyberoperations; and cyber protection forces would strengthen the security of the Defense Department's computer networks. Former deputy defense secretary William J. Lynn III said that a "significant cyberattack on the United States" is highly likely and that "the only question is whether we're going to take the necessary steps like this one ... or ... read about the steps we should have taken in some post-attack commission report."
[Editor's Note (Paller): The new force will be 80% military, 20% civilian - and will come from the individual services. The transformation requires a challenging upgrading of hands-on skills - a thousand hours or more to become functional -- and will seek to rapidly transform people in other billets (less critical security billets and others) into cyber security people with the hands on skills to defend and project power in cyberspace. The key breakthrough in thinking that the planners made is to base the selection of candidates on a competition/talent search among the existing enlisted, officer and civilian force so the investment in training will be made only for people who have a better than average chance to succeed. Two competitions for this purpose are "Security Foundations" (the same one being used by Governor Chris Christie in the New Jersey Governor's Cyber Challenge) for basic talent and "NetWars" (the very real cyber simulator) for advanced talent. The Air Force is a little ahead of the other services on this transformation, but the Army is coming on strong.
(Shpantzer): Imagine a Venn Diagram with two circles: One is a circle, small as is, of highly trained, or at least trainable, would-be 'cyberwarriors,' however you define that. The other circle, also small, represents US citizens with an active Top Secret, if not TS/SCI/Poly clearance, or at least the desire and capacity to obtain said clearance. The AND intersection between those two already small circles is a minuscule sliver of people. Recruiting, training and especially retaining these specialists is going to be non-trivial, to say the least.
(Henry): The ability for the US to increase and successfully staff a cybersecurity force as described will require a major change to the education and development system in the country (similar, I think, to that described in the article on Israel.) Getting youth involved in high-tech programs at an early age, an augmentation of funding for STEM, and entry-level government job opportunities for high school and college students will go a long way towards moving us there. ]
Israel Strengthening its Cyber Stance (January 28, 2013)
Israel is increasing its focus on cyberoperations in the military and on developing a corps of strong cyberwarriors. Soldiers are being trained in cyberdefense, offense, and intelligence. The country's National Cyber Bureau has also established a civilian high school program that identifies and trains students with talent in the cyber arena; their teachers are former intelligence corps soldiers with cyber expertise.
#javaproblems: Security Problems in Oracle's Java Persist, Despite January Patch (January 28, 2013)
The new security settings in Oracle's most recent release of Java, which are meant to prevent drive-by browser attacks, are easily bypassed, according to a researcher. Several zero-day flaws in Java have recently come to light, and Java's head of security has made a commitment to securing the software. The measures employed in Java 7 Version 10, which was released in December, allow users to decide which applets can run in their browsers, but Adam Gowdiak says that all levels of the security setting can be circumvented. Gowdiak has also developed a proof-of-concept exploit that affects Java 7, Version 11, which Oracle released out-of-cycle in mid-January.
[Editor's Note (Dhamankar): Web conferencing and SSL VPN applications typically require Java-enabled browsers. I had disabled Java from my browsers, and needed to enable it to get on a web customer conference call. This is a problem for the enterprise employees. If they don't remember to turn off Java after being used, they become vulnerable!]
THE REST OF THE WEEK'S NEWS
FBI Investigating Leak of US Stuxnet Involvement (January 26 & 28, 2013)
The FBI is stepping up its investigation into the source of the leak of information about Stuxnet to the media. The FBI and US prosecutors are working together to analyze email and phone accounts and to interview officials to find connections to journalists who broke the story in the New York Times in June 2012. According to the NYT story, Stuxnet was a joint effort between the US and Israel that began during the Bush administration in 2006. Its goal was to hobble Iran's nuclear program. Stuxnet managed to gain purchase in computer systems at Iran's Natanz uranium enrichment facility and damage numerous centrifuges.
Google Facing Legal Action in UK Over Safari Cookies (January 28, 2013)
Google is facing legal action in the UK over allegations that the company bypassed security settings on Apple's Safari web browser to place cookies on computers so they could deliver targeted advertisements to users. Last year, the US Federal Trade Commission (FTC) fined Google US $22.5 million for the same issue. One individual has launched legal proceedings against Google in the UK; the law firm involved will coordinate claims made by other individuals.
[Editor's Note (Pescatore): Based on Google's last financial release, the US fine of $22.5M equals just a bit more than 3 hours of revenue as punishment for Google violating the privacy of Safari users. Not much of a deterrent effect, but as this article points out, the costs will end up being much higher than the initial FTC fine. ]
Anonymous Hacks US Sentencing Commission Website (January 26, 2013)
The FBI is investigating a cyber attack on the website of the US Sentencing Commission (USSC). The attack was launched by the Anonymous hacking collective in response to the suicide of Aaron Swartz. Some are saying that the government's aggressive stance in its case against Swartz for downloading scholarly articles that he intended to make publicly available may have contributed to his decision to take his own life. Anonymous posted a message on the USSC website saying that they have a cache of purloined government documents that they will start to leak if steps are not taken to reform the justice system, which presently allows violation of a terms of service agreement to be interpreted as a felony.
[Editor's Note (Pescatore): While the headlines go to the "who" and the "why" of this attack, the real issue is the "how" and, even more importantly, the "why not?" Why was the web site or web site admin vulnerable in the first place? And in the second place, since they got in again. Separation of duties and the use of simple application whitelisting on web servers are some "quick wins" for raising the bar against web site compromises. ]
WordPress Update Addresses Trio of Security Issues (January 25, 2013)
WordPress developers have released an updated version of the blogging software to address 37 issues, including three security flaws. The security issues fixed in the latest version of WordPress are a cross-site scripting (XSS) flaw in an external library; a pair of XSS flaws through shortcodes and post content; and a server-side request forgery vulnerability. Users are urged to upgrade to WordPress v3.5.1 as soon as possible. Users running WordPress on IIS may encounter issues that prevent the upgrade, but developers have a workaround available if that problem arises.
Court Denies WikiLeaks Investigation Suspects' Right to Know What Companies Were Contacted for Information (January 25, 2013)
A federal appeals court has ruled that three suspects in a WikiLeaks investigation do not have the right to know the companies from which the government has requested their records. Birgitta Jonsdottir, Jacob Appelbaum, and Rop Gonggrijp have been involved with WikiLeaks in various ways. The judges for the Fourth Circuit Court of Appeals wrote that "secrecy is necessary for the proper functioning of the criminal investigations at this phase
openness will frustrate the government's operations." The three suspects do know that the government has sought information about their Twitter accounts, and that the government sought information about Appelbaum's accounts from Google and Sonic.net. Both of those companies asked that the court lift the seal on the orders so that Appelbaum could know about their existence.
Yahoo Requires Probable Cause Warrants for Government Requests for eMail Content (January 25 & 28, 2013)
A Yahoo spokesperson said that the company requires probable cause warrants to hand over the content of users' email messages. The company has established this practice despite the fact that the Electronic Communications Privacy Act (ECPA) does not always require that warrants be obtained prior to requesting information. Yahoo began requiring warrants in early 2011 and has not experienced resistance from authorities on the matter. ECPA dates back to 1986, when email was held briefly on servers before being sent to people's inboxes, and email that remained on the servers for more than 180 days was considered to be abandoned. With the growing prevalence of web-based email services, the issue of when authorities can request the information has become murkier.
Twitter Releases Transparency Report (January 28, 2013)
Twitter has also released a transparency report in which it disclosed that 19 percent of government requests for user information in the six-month period ending December 2012 came with probable cause warrants. In all, Twitter received 815 requests for account data in that period. Although Twitter did not specify what information it surrendered, it did say that it requires probable cause warrants for tweets and direct messages. Twitter's report indicates that it provides the government with at least a portion of the data requested in nearly 70 percent of requests.
Google Will Impose More Restrictions on Data Requests and Encourage Legislators to Update ECPA
Google says it plans to establish more stringent requirements for governments requesting user data and that it will work with other large technology companies to encourage Congress to update ECPA.
[Editor's Note (Henry): There are a couple of articles here related to ECPA. Most familiar with this law recognize it needs to be revamped, if for no other reason than to keep up with the many technologies that have emerged or changed since its implementation. Privacy is and SHOULD be a primary consideration during this reconsideration, but it must be balanced with the need for our security. Eliminating or substantially curtailing the ability of the government to lawfully intercept criminal or national security-threatening communications will not serve the greater good. ]
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978, including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/